Doctor Won't Be Fined in HIPAA Case Involving Campaign

A physician who used her patients' information to aid her successful 2015 political campaign for Virginia state senator in violation of the HIPAA Privacy Rule won't be sanctioned by federal regulators.

Siobhan Dunnavant, M.D., a Richmond, Va.-area obstetrician-gynecologist, was investigated by the Department of Health and Human Services' Office for Civil Rights after at least two complaints were filed with OCR in 2015, when she used her patients' protected health information - including names and addresses - to solicit contributions, volunteers and votes for her campaign as a Republican candidate for state senate, according to the Richmond Times-Dispatch.

Dunnavant, who was subsequently elected to the state senate position, and her attorney received a letter in December from a regional OCR office saying Dunnavant's decision to share her patients' information with her campaign and a direct-mail company was impermissible under HIPAA, the newspaper reports. Federal regulators, however, chose not to levy sanctions against the doctor because she took "immediate action" to minimize the damage, according to the report.

OCR in a statement to ISMG says that in this case, "OCR obtained a satisfactory resolution through the covered entity's demonstrated compliance and/or corrective action through informal means. As such, this case did not rise to the level of a resolution agreement and/or civil money penalties for noncompliance. OCR continues to resolve cases through technical assistance and corrective action, as outlined by the HIPAA enforcement rule."

Dunnavant's medical practice and state senate office did not immediately reply to ISMG's requests for comment on Jan. 11.

In a statement provided to Information Security Media Group back in 2015, a spokeswoman for Dunnavant's medical practice said, "We are aware of concerns regarding patient communication, and we are reviewing the issue with the highest rigor and diligence. Please be assured we hold confidentiality of patient information of paramount importance, and thank patients for entrusting us with their care."

Broader Problem?

While regulatory experts say tapping into patient information for campaign purposes does not appear to be a common HIPAA violation, it's quite common for physicians to run for political office. For example, nearly 20 members of the 114th Congress that just wrapped up were physicians.

The Dunnavant situation offers a caveat for others, notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine, who formerly worked at OCR.

"Always be careful about mixing medicine and politics," he says. "I have heard of at least one other anecdote of a physician using protected health information to communicate for political purposes. Not only does this raise significant risk of violating HIPAA, but it's also a good way to generate patient complaints because politics tends to draw strong disagreements."

Former OCR senior adviser David Holtzman, a privacy attorney and vice president of compliance at the security consulting firm CynergisTek, says he's not aware of any HHS announcements concerning any complaint investigation or compliance review conducted by OCR regarding political activity that has resulted in a formal enforcement action. "Nor has the Department of Justice announced the prosecution of any criminal violation of the HIPAA statutes arising out of a candidate's disclosure of PHI to a political campaign," he notes.

Lessons Learned

The Dunnavant incident offers some important reminders for all covered entities and business associates.

"This is a pretty unusual situation," says privacy attorney Kirk Nahra of the law firm Wiley Rein about the incident involving Dunnavant and her campaign. "It is clearly a violation of HIPAA but it is also a pretty technical violation. This involves 'using' the contact information to send them a letter. It is definitely protected health information if it is a list of your patients, but if that is all it was, then there wouldn't seem to be any real privacy harm - mainly no one else learning anything."

The HIPAA Privacy Rule prohibits a covered entity or their business associate from disclosing the protected health information of their patients without first seeking authorization of the individual - except where specifically permitted or required by the rule, Holtzman notes.

"Healthcare providers must be careful when using patient contact information to mail or email anything to the patient - even if no specific diagnostic or payment information is used," he says. Using a patient's address to send marketing communications or other communications unrelated to treatment, payment or healthcare operations without the patient's authorization is not permitted under HIPAA, Holtzman adds.

"There is no provision in the privacy rule where a healthcare provider who is a HIPAA covered entity can disclose patient information, including their name and address, to a political campaign without first obtaining the authorization of the patient," he says.

Under HIPAA, offenses committed with the intent to view, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm are punishable by a fine of up to $250,000 and imprisonment for up to 10 years. Criminal HIPAA violation cases are investigated and prosecuted by the Department of Justice. Covered entities can also face civil penalties for violations of the HIPAA Privacy Rule and criminal prosecution for the same incident involving the prohibited disclosure of PHI.

Avoiding HIPAA Penalties

"OCR resolves tens of thousands of cases through technical assistance or voluntary corrective action, carefully choosing a small number of cases to seek financial settlement or penalties," he notes.

"They may have decided that this case was not appropriate for financial enforcement for any number of reasons, ranging from the decisive corrective action that they cited in the letter, to believing that Dunnavant may have had a good faith belief that she was complying with the law."

About the Author

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.
